Demystifying The Contours Of The Draft National Ecommerce Policy

In recent times, with increasing digitisation, the ecommerce sector has witnessed unprecedented growth, resulting in a paradigm shift in the manner of doing business. The Indian ecommerce market, although currently at a nascent stage, is expected to grow from $38.5 Bn in 2017 to $200 Bn by 2026.

With this background, while the Draft National Ecommerce Policy issued by the Department for Promotion of Industry and Internal Trade (DPIIT) on 23 February 2019 (Draft Policy) appears to be a step in the right direction, there are a number of concerns which have not been addressed.

In its current form, the Draft Policy is an ambitious document affecting various domestic and international stakeholders – startups, payment aggregators and payment systems, fintech companies, content providers, MSMEs, and logistics companies.

While the policy seeks to give a boost to several government initiatives reliant on e-commerce, including existing flagship programs such as ‘Make in India’, ‘Startup India’, and ‘Digital India’ and other internet-based enterprises such as Sugamya Bharat Abhiyan, BHIM and GeM which facilitate commercial activities through the use of internet-enabled devices, it does not address several concerns, including data privacy and consumer protection.

Given that this sector is predominantly driven by data and technology, it is imperative for a consumer-oriented economy like India to establish a comprehensive, unambiguous regulatory framework.

Data As An Asset And Data Privacy

The constant evolution of the digital economy has resulted in greater usage of the internet, which in turn, has led to huge volumes of data generation. While several corporations have adopted business models to monetise such data, issues surrounding the right to use and exploit such data (which is essentially owned by individuals/entities, being users of such platforms) continue to plague the sector – a significant part of the Draft Policy focuses on this aspect.

In terms of the Draft Policy, every ecommerce entity doing business in India is required to be a registered business in India. While the Draft Policy recognises the need to promote domestic alternatives to foreign-based clouds, it has identified the provision of budgetary support as the only means of providing an incentive to promote such startups.

Given that the majority of the data generated digitally is owned by large MNCs, monetary incentives alone would not provide the desired result of promoting domestic enterprises which currently lack the requisite technical expertise.

Further, proponents of data sharing across jurisdictions argue that data should be made available to other companies either through compulsory licensing or on ‘fair reasonable and non-discriminatory’ (FRAND) terms.

However, this goes against the premise that data is owned by an individual, and not by corporations which (though the access is provided by the individual) process and propose to monetise such data. Finding an effective means of monetising ‘sensitive personal data’ is a tricky problem which we continue to grapple with – legally and infrastructurally.

The Draft Policy suggests: (a) restriction on sharing of data with entities outside India / foreign third parties, even with customer consent; and (b) that processing of data without consent should be dealt with sternly.

However, it neither refers to consent requirements for sharing of sensitive data or the manner of accessing ‘national data’, nor prescribes the consequences for default. Moreover, restrictions on sharing data across borders will restrict the ease of doing business globally and may be viewed as anti-competitive.

At present, each piece of legislation governing data, including the Information Technology Act 2000 (along with the rules on sensitive personal data) and the Personal Data Protection Bill 2019, has a differing definition of ‘data’. Given the various sources and types of data, it is imperative that data be classified and accordingly be defined as ‘national data’, ‘individual data’, ‘sensitive data’, etc.

In the current form, the Draft Policy lacks clarity on the meaning of ‘data’ and fails to draw a connection with sector-specific laws, akin to the conundrum faced with the meaning of ‘control’ across legislations.

Consumer Protection?

The Draft Policy emphasises protective measures, requiring ecommerce players to be vigilant and comply with various requirements such as making available seller details, undertakings regarding the genuineness of products, the requirement to obtain the trademark owner’s consent before listing high value or luxury products, an e-grievance redressal mechanism, etc.

The Draft Policy, however, does not provide consequences for non-compliance or breach, either penal or monetary, but instead relies on other authorities to prescribe penalties for non-compliance. The final policy should ensure that such penalties are commensurate with the consequences currently prescribed under other laws governing the use of data.

Impact Of The Draft Policy

With big-ticket investments such as Alibaba’s investment of $1.8 Bn in several Indian companies and Walmart’s acquisition of Flipkart for $16 Bn, one cannot ignore that India is and will increasingly be a key player in the global ecommerce space.

India has an additional two-fold advantage – a growing economy and population, both of which have the potential to generate tremendous data, placing the nation in an invaluable position, despite its absence from negotiations at the World Trade Organisation.

Following the outbreak of Covid-19 as a global pandemic, organisations across the world have implemented a ‘work from home’ policy, ensuring, to the extent possible, that business runs as usual. This has resulted in various organisations collecting and processing various kinds of data including information relating to health, travel history, self-declaration forms, etc.

While not all of this may constitute sensitive personal data, from a data privacy perspective, this has serious implications given that collection of sensitive personal data requires prior consent. It will be interesting to see how the government addresses these concerns.
